CVE-2025-10061Improper Input Validation in INC Mongodb Server

CWE-20Improper Input Validation4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 66.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb INC Mongodb ServerMongodb
Timeline
PublishedSep 5

Description

An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22, MongoDB Server v8.0 versions prior to 8.0.12 and Mong

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5mongodb_inc/mongodb_server6.06.0.25+3
NVDmongodb/mongodb6.0.06.0.25+3

🔴Vulnerability Details

3
OSV
CVE-2025-10061: An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query2025-09-05
CVEList
Malformed $group Query May Cause MongoDB Server to Crash2025-09-05
GHSA
GHSA-5866-fxhr-9hjf: An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query2025-09-05
CVE-2025-10061 — Improper Input Validation | cvebase